PCI Services

Gap Analysis

InteliPath will perform a gap analysis, including the required testing, to inform the client which controls need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network (including vulnerability scanning and penetration testing) and the supporting technical documentation. The assessment process may include interviews with company personnel to determine which PCI requirements are already in place and where remediation is required.

The first phase of the project will involve reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation will include:

Review of current cardholder environment technology and security features

Mapping touch points to the corporate network

Examining access points and network components for security shortcomings from a PCI perspective

Scans and penetration tests to validate that the client has attained an appropriate level of security

For this phase, ControlCase consultants will require the following documentation from the client:

Current network diagrams of the appropriate environments with respect to cardholder data

Firewall/router configuration details

Data retention and disposal procedures

Policy and Procedures for physical security

Encryption Key Management Policy

Incident Response Policy

Password Policy

Change Control Policy

Build/Patch Policy

Internal Security Testing Procedures

ControlCase will provide standard templates for the above-mentioned policies and procedures, if so desired by the client.

Remediation plan and support (Steps 4 & 5)

InteliPath will keep track of all remediation efforts and provide a monthly status report to the client on the remediation steps. During this time, the client is expected to implement the PCI controls and to keep ControlCase continuously informed of all remediation measures.

Certification (Steps 6 to 9)

InteliPath will, as required for the project, deploy a PCI audit team of qualified personnel to carry out an on-site security assessment. After internal quality procedures have been completed, the client will be issued a Report on Compliance (ROC), and the appropriate certification will be submitted to the various credit card brands.

Certification requirements depend on the service provider's level. The certification requirements from Visa and MasterCard are as follows.